CVE-2025-54424
BaseFortify
Publication date: 2025-08-01
Last updated on: 2025-08-26
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| fit2cloud | 1panel | to 2.0.6 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
Upgrade 1Panel to version 2.0.6 or later, as this version fixes the incomplete certificate verification issue that leads to unauthorized access and remote code execution.
How can this vulnerability impact me? :
The vulnerability can allow an attacker to gain unauthorized access to the 1Panel interface and execute commands remotely with high privileges. This can lead to full compromise of the affected Linux server, including control over websites, files, containers, databases, and LLMs managed by 1Panel.
Can you explain this vulnerability to me?
This vulnerability exists in 1Panel versions 2.0.5 and below, where the HTTPS protocol used between the Core and Agent endpoints does not fully verify certificates during validation. This incomplete certificate verification allows unauthorized access to the interface. Because 1Panel includes many command execution and high-privilege interfaces, this unauthorized access can lead to Remote Code Execution (RCE) on the server.